Method for establishing licensor changeable limits on software usage.



A system and method for establishing licensor changeable
limits on shared software usage without the licensor having
access to the system on which the shared software is running.
An encrypted numerical limit value is embedded in the licensed
software (program); when the program is executed ("accessed"),
as a first step, the program decrypts the limit value (204)
and compares it to the number of users currently accessing the
shared program (210). If the number of users is less than the
limit then access is allowed (214). If the number of users is
equal to (or greater than) the limit, then access is denied
(212).



[FIG. 2 (flow chart): 200 Request to access a feature; 202 Count users
currently using the feature; Decrypt access limit; 208 Deny access;
212 Deny access; Allow access]
Jouve, 18, rue Saint-Denis, 75001 PARIS 






EP 0 597 599 A2 






Technical Field 

This invention relates to the field of data process- 
ing, and, more specifically, to the field of limiting ac- 
cess to software wherein the limit may be changed by 
the licensor. 

Background of the Invention 

In software licensing agreements, especially for 
multi-user software, licensors commonly include con- 
tractual limits on the number of users who may have 
access to the software, the number of simultaneous 
users, and/or the number of total accesses. This is 
particularly important in licenses for multi-user soft- 
ware packages used in telephone switching systems 
where software-controlled features are licensed on a 
per-line basis. A problem in the art is that there is no 
effective method of enforcing and policing such 
agreements even with audits of software usage 
and/or site inspections. 

Summary of the Invention 

This problem is solved and a technical advance 
is achieved in the art by a method for establishing li- 
censor changeable limits on shared software usage 
without the licensor having access to the system on 
which the shared software is running. An encrypted 
numerical limit value is embedded in the licensed 
software (program); when the program is executed 
("accessed"), as a first step, the program decrypts 
the limit value and compares it to the number of users 
currently accessing the shared program. If the num- 
ber of users is less than the limit then access is al- 
lowed. If the number of users is equal to (or greater 
than) the limit, then access is denied. The licensor 
may supply the licensee with a new encrypted limit 
value to raise the number of allowed accesses. 

Since the licensee does not have access to the 
encryption algorithm, it cannot change the limit value. 
If the licensee attempts to enter a random string as 
the encrypted limit value and the decrypted value is 
not valid, then access is denied to everyone. Further- 
more, the number of accesses to the encrypted value 
may be limited (i.e., two or three times a week), to pre- 
vent the licensee from attempting to determine the 
encryption algorithm. 

In the context of a telephone switching system, 
features provided to customers are generally control- 
led by shared software packages ("programs"). In 
this context, each time a customer is allowed access 
to a protected feature, the encrypted limit is decrypt- 
ed and compared with the number of users currently 
using the feature. If the number of users is less than 
the limit then the user is allowed to use the feature. 
Otherwise, the user is not allowed to use the feature. 
The encrypted limit, an alphanumeric string, can be
changed using standard field update facilities.

Brief Description of the Drawing 

FIG. 1 is a block diagram of a switching network
configuration, including an exemplary embodiment of this
invention;

FIG. 2 is a flow chart of the general implementation of an
exemplary embodiment of this invention;

FIG. 3 is an exemplary maintenance screen as displayed on
the maintenance console of FIG. 1 illustrating an update of
the encrypted alphanumeric string;

FIG. 4 is an exemplary maintenance screen as displayed on
the maintenance console of FIG. 1 illustrating an update of
user access to a shared feature; and

FIG. 5 is a flow chart describing another exemplary
embodiment of this invention.

Detailed Description 

This invention will be described in connection with the
telephone switching system, as illustrated in FIG. 1, but the
application of this system is much broader. For example, a
method for establishing licensor changeable limits on shared
programs according to this invention may be used in a general
purpose, program-controlled computer system.

The telephone switching network configuration of FIG. 1 has
two central office switches, 100 and 200, and inter-switch
signaling network 250, e.g., a common channel signaling (CCS7)
network and illustrative communications stations, including
conventional analog telephone station sets 23, 25, and 201, an
integrated services digital network (ISDN) telephone set 11,
and data terminal 13. Switches 100 and 200 are interconnected
by communication path 26, which may include intermediate
switches.

Illustratively, switch 100 is a distributed control ISDN
electronic switching system such as the system disclosed in
U.S. Patent 4,592,048, issued to M. W. Beckner, et al., on
May 27, 1986. Alternatively, switch 100 may be a distributed
control, analog or digital switch, such as a 5ESS® switch
manufactured by AT&T and described in the AT&T Technical
Journal, v. 64, No. 6, July/August, 1985, pages 1303-1564.
Switch 100 includes a number of switching modules (SMs 110,
120, 130), each associated with a different set of telephone
station sets or trunks. Each switching module includes a
control unit for controlling connections to and from its
associated telephone station sets or trunks. Switching module
110, for example, includes control unit 110 for controlling
connections to and from telephone station set 11. Switching
module 120 includes control unit 121 for controlling
connections to and from station set 23. Each control unit
comprises a processor 125 and memory 126. Each memory 126
includes a database 127, wherein processor 125 stores
configuration and operational data, as is known in the art.
For example, lists of features associated with telephone
station sets 23 and 25 are stored in database 127. Features
such as call forwarding, three-way calling, and the like are
controlled by software programs stored in memory 126, and
executed by processor 125, using data stored in database 127.

The architecture of switch 100 includes commu- 
nication module (CM) 150 as a hub with switching 
modules 110, 120, and 130, and an administrative 
module (AM) 160 emanating therefrom. AM 160 pro- 
vides maintenance and provisioning information and 
commands to SMs 110, 120, and 130, as is known in 
the art, from maintenance terminal 165. 

Switching module 110 terminates digital sub- 
scriber lines, e.g. 12. Switching module 120 termin- 
ates conventional analog lines (i.e., tip ring pairs), 22, 
24, and provides circuit-switched connections to and
from associated telephone sets 23, and 25. Switching 
module 130 is similar to switching modules 110 and 
120, but includes the appropriate analog or digital 
trunk unit (not shown) for interfacing with the outgo- 
ing trunks included in communication path 26 to 
switch 200. To complete the description of switch 100, 
communication module 150 acts as a switch fabric for 
communication among switch modules and adminis- 
trative module (AM) 160. Switch 200 is shown con- 
nected to a conventional analog telephone station set 
201, for purposes of illustration. The architecture of 
switch 200 and the types of telephone station sets 
served by switch are not important to the present in- 
vention and are thus not described further. 

In the context of switch 100, the method for es- 
tablishing licensor changeable limits on software us- 
age can be used illustratively to limit the number of tel- 
ephone subscribers who can subscribe to a particular 
feature, for example, call forwarding. It is well known 
in the art that features such as call forwarding are li- 
censed by switch vendors to customers (operating 
companies) on a per-line basis. For example, call for- 
warding may be provided on switch 100 for 5,000 
lines. It is in the licensor's interest, therefore, to have 
a mechanism that limits the number of lines (users) 
that may use call forwarding at any given time. If the 
operating company has more users that want call for- 
warding than the limit allows, the operating company 
may request and pay for additional line allocations, 
wherein the vendor may supply a new limit. 

Turning now to FIG. 2, a flow chart for a general case of
this invention is shown. During the building of the executable
program that controls the switching system, a library is
linked into the program, as is known in the art, controlling
the feature program (in this example the call forwarding
feature), which includes a decryption algorithm and a routine
to determine whether to allow access to the program. This
routine follows the general flow chart shown in FIG. 2.
Starting in box 200, a request is received to access a
particular feature. In box 202 a count is made of the users
currently using the feature. In box 204 the access limit is
decrypted using the algorithm loaded when the program was
built. The specific encryption algorithm is not important to
this invention, as any encryption algorithm may be used
without departing from the scope of this invention. It is to
the licensor's benefit, of course, to have a difficult
encryption algorithm to prevent licensees from reverse
engineering the encryption algorithm.

Processing continues to decision diamond 206 where a
determination is made whether the decrypted access limit is
valid. The decrypted limit is compared to a range of known
values. If the limit is out of range or does not decrypt into
a numerical value, then it is presumed that the encrypted
access limit has been tampered with. Therefore, if, in
decision diamond 206, the decryption access limit is not
valid, then access to the feature is denied in box 208.

If, in decision diamond 206, the decrypted access limit is
valid, then processing proceeds to decision diamond 210, where
a determination is made if the number of users is less than
the decrypted access limit. If the number of users is greater
than the decrypted access limit, then, in box 212, access to
the feature is denied. If the number of current users is less
than the decrypted access limit, then in box 214, access is
allowed.

Turning now to FIG. 3, a screen as displayed on maintenance
terminal 165 (FIG. 1) is shown, illustrating the access limit
update screen. As stated above, the encrypted access limit may
be changed. This feature is advantageous when, for example,
the licensee desires to have more users access a particular
feature, for example, call forwarding. The licensee would pay
for the increased number of lines to use the feature, and the
licensor would provide the licensee with a new encrypted
access limit. In FIG. 3, a string representing an encrypted
access limit is shown at 300. The string may be changed using
the maintenance console keyboard. Field 310 shows the current
access limit, which is the maximum allowable users for the
particular feature. Field 310 equals the decrypted access
limit 300. 320 shows the number of users currently accessing
the protected feature. Preferably, the encrypted access limit
field 300 may be changed only a few times over a predetermined
time period. For example, allowing changes to the encrypted
access limit field 300 three times a week, aids in preventing
a licensee from attempting to reverse engineer the encryption
algorithm by replacing the field randomly until a valid string
is found.

Turning now to FIG. 4, a screen showing a feature selection
list for a particular subscriber (user) is shown. When the
licensee allows a subscriber access to a feature, for example,
call forwarding, the licensee updates the subscriber's
profile. A typical update screen is shown in the example of
FIG. 4. The subscriber is identified by telephone number and
then a list of available features is displayed. For example,
call forwarding 400 is allowed for this subscriber. Call
waiting 410 and three-way calling 420 are not allowed. When
call forwarding 400 is allowed, that is, the "NO" is changed
to "YES", as illustrated. During such updates, the licensed
software checks to determine if the licensee has reached the
license limit for allowing access to the shared software
(i.e., the call forwarding feature). If the license limit has
been reached, the software will not allow the update. In this
example, the "YES" will automatically turn to "NO".

This embodiment is further useful when ISDN subscribers may
turn features on or off by themselves at any given time. A
screen (such as FIG. 4), may be displayed at a remote terminal
13 (FIG. 1), controlling features for telephone 11 (FIG. 1).
Up to 5,000 subscribers may use call forwarding at any given
time, but the operating company may allow more than that
number of subscribers the ability to use call forwarding. In
this example, when a subscriber attempts to turn on a feature,
the licensed software may permit only 5,000 subscribers to use
call forwarding.

This invention may also be used to limit the absolute number
of telephone subscribers (users) subscribing to features such
as call forwarding. A maintenance screen such as FIG. 4 is
displayed each time a telephone subscriber feature is changed.
When a change is made (changing a "NO" to "YES" in field 400
to allow this subscriber to use call forwarding, for example),
the system checks to determine whether the limit of the number
of subscribers that have call forwarding available has been
reached. If the subscriber limit has not been reached, then
the feature is allowed for this subscriber. If the limit is
reached, then the feature is denied.

A further use for this invention is to turn software
(program) protected by this invention "OFF" as provided by the
licensor, and then "ON" after a license fee is paid. The
encrypted alphanumeric string sets a limit of zero for turning
the program "OFF" and sets a limit of infinity for "ON". This
may be useful, for example, when software is provided with a
system as an option that may be turned on later. The licensor
does not have to supply different or additional software for
each customer. The licensor merely supplies the appropriate
encrypted string according to what the licensee has paid for.

This invention may also be used to control the total number
of accesses which may be made to a feature; in other words,
this invention may be used to allow a licensee to use a
particular feature 5,000 times and no more. This aspect of
this invention may be useful, for example, for software
operable on a personal computer, or other system where the
licensee may desire a limited license to use software. In this
embodiment, each time any user attempts to access the license
feature, a check is made of the total number of previous
accesses, which is compared with the license limit. Both the
access limit and the count of the total number of previous
accesses are stored in encrypted form to prevent unauthorized
change. FIG. 5 illustrates a flow chart according to this
embodiment of the invention.

In box 500, a request is made to access the pro- 
gram, and, in box 502, the count of previous accesses 
is decrypted from an encrypted, stored value. Proc- 
essing continues to decision diamond 504 where a 
determination is made if the decrypted count is valid. 
The decrypted count may not be valid if it is out of a 
certain range or alternatively does not decrypt into a 
numeric value. The count may be out of range or non- 
numeric if the licensee attempts to change the en- 
crypted count of previous accesses. If the decrypted 
count is not valid, then access is denied in box 506. 
If in decision diamond 504 the decrypted count is val- 
id, then processing continues to box 508 where the 
access limit is decrypted. Processing continues to de- 
cision diamond 510 where a determination is made if 
the decrypted access limit is valid. The parameters 
for validity of the limit are generally the same as for 
the decrypted count. If the decrypted access limit is
not valid, then access is denied in box 512. 

If the decrypted access limit is valid in decision 
diamond 510, then processing continues to decision 
diamond 514 where the determination is made if the 
count is less than the limit. If the count is not less than 
the limit, then access is denied in box 516. If the count 
is less than the limit, then in decision diamond 514 
processing continues to box 518 where the count is 
incremented. In box 520, the count is then encrypted
so that it may be stored in a form that the licensee 
cannot modify. Processing ends in box 522 where ac- 
cess is allowed to the feature or software. 
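
The checks of FIG. 2 and FIG. 5 and the update throttle described for field 300, written out as an added Python example; it is not part of the patent text. It assumes an HMAC-SHA256 tag in place of the unspecified encryption algorithm (the tag authenticates the number rather than hiding it), and the key, string layout, role labels, range bound and all names are hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: secret linked into the licensed program
MAX_LIMIT = 1_000_000           # assumption: top of the "range of known values"
TAG_LEN = 16                    # hex characters of truncated HMAC in each string
WINDOW = 7 * 24 * 3600          # one week, in seconds
MAX_UPDATES = 3                 # "three times a week"


def seal(value: int, label: str) -> str:
    """Build the alphanumeric string: truncated tag followed by decimal digits.
    The label (hypothetical) ties a string to its role, limit or count."""
    tag = hmac.new(KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return tag[:TAG_LEN] + str(value)


def unseal(token: str, label: str):
    """Return the integer, or None if malformed, out of range or altered."""
    tag, digits = token[:TAG_LEN], token[TAG_LEN:]
    if not (token.isascii() and digits.isdigit()):
        return None                       # does not yield a numerical value
    if len(digits) > len(str(MAX_LIMIT)) or str(int(digits)) != digits:
        return None                       # oversized or non-canonical digits
    value = int(digits)
    if value > MAX_LIMIT:
        return None                       # out of range
    expected = seal(value, label)[:TAG_LEN]
    return value if hmac.compare_digest(tag, expected) else None


def allow_concurrent(limit_token: str, current_users: int) -> bool:
    """FIG. 2: decrypt (204), validate (206), compare (210)."""
    limit = unseal(limit_token, "limit")
    if limit is None:
        return False                      # box 208: tampering presumed
    return current_users < limit          # box 214 if True, box 212 if False


def allow_metered(count_token: str, limit_token: str):
    """FIG. 5: returns (allowed, count string to store afterwards)."""
    count = unseal(count_token, "count")  # boxes 502, 504
    if count is None:
        return False, count_token         # box 506
    limit = unseal(limit_token, "limit")  # boxes 508, 510
    if limit is None:
        return False, count_token         # box 512
    if count >= limit:                    # diamond 514
        return False, count_token         # box 516
    return True, seal(count + 1, "count")  # boxes 518, 520, 522


class LimitField:
    """Field 300: at most MAX_UPDATES replacements per WINDOW."""

    def __init__(self, token: str):
        self.token = token
        self.updates = []                 # timestamps of accepted replacements

    def replace(self, new_token: str, now: float) -> bool:
        self.updates = [t for t in self.updates if now - t < WINDOW]
        if len(self.updates) >= MAX_UPDATES:
            return False                  # throttled: field keeps its old value
        self.updates.append(now)          # every replacement counts, valid or not
        self.token = new_token
        return True
```
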



Claims 

1. A method for providing licensor control of the 
number of users accessing one or more licensed 
programs in a computer system arranged to exe- 
cute a plurality of licensed programs, wherein one 
or more of said plurality of licensed programs is 
accessible by a plurality of users, without said li- 
censor having access to said computer system, 
said method comprising the steps of: 

requesting access to said program (200); 

establishing a limit value by decrypting a 
portion of a previously encrypted alphanumeric 
string provided by said licensor (204); 

comparing said limit value to the number 
of users currently accessing said program (210); 
denying access to said program if said
number is greater than said limit value (212); and 

allowing access to said program if said 
number is less than said limit value (214). 

2. A method according to claim 1 wherein said en- 
crypted alphanumeric string may be updated by 
said licensee replacing said encrypted alphanu- 
meric string with a further encrypted alphanume- 
ric string provided by said licensor, thus permit- 
ting said licensor to change the limit value of the 
number of users. 

3. A method according to claim 2 wherein the num- 
ber of licensee updates of said encrypted alpha- 
numeric string over a predetermined period of 
time is limited to aid in preventing said licensee 
from determining the encryption algorithm. 

4. A method according to claim 1 further comprising 
the step of verifying that said limit value is a valid 
numeric value after said step of decrypting said 
encrypted alphanumeric string; and 

denying access to said licensed program if 
said limit value is not a valid numeric value, so 
that said licensee cannot replace said encrypted 
alphanumeric string with random values in order 
to circumvent the encryption algorithm. 

5. A method of limiting the number of accesses to a 
licensed program in a computer system arranged 
to execute said licensed program, wherein said li- 
censed program is accessible a limited number of 
times, said limit being set by a licensor, without 
said licensor having access to said computer sys- 
tem comprising the steps of: 

requesting access to said program (500); 

establishing a number of accesses by de- 
crypting a previously encrypted first alphanume- 
ric string (502); 

establishing a limit by decrypting a previ- 
ously encrypted second alphanumeric string 
(508); 

comparing said limit to the number of ac- 
cesses (514); 

if said number of accesses is equal to or 
greater than said limit, denying access to said 
feature (516); and 

if said number of accesses is less than 
said limit, allowing access to said feature (522), 
incrementing said number of accesses (518), and 
encrypting said number of accesses into said first 
alphanumeric string (520). 

6. A method according to claim 5 wherein said second
encrypted alphanumeric string may be updated by a licensee
replacing said second encrypted alphanumeric string with a
further encrypted alphanumeric string provided by said
licensor, thus permitting a licensor to change the limit value
of the number of accesses without having access to said
computer system.

7. A method according to claim 6 wherein the number of
updates of said second encrypted alphanumeric string over a
predetermined period of time is limited to prevent a licensee
from determining the encryption algorithm.

8. A method according to claim 5 further comprising the
steps of verifying that said number of accesses is a valid
numeric value after said step of decrypting said first
encrypted alphanumeric string;

verifying that said limit is a valid numeric value after
said step of decrypting said second encrypted alphanumeric
string; and

denying access to said licensed program if said number of
accesses or said limit is not a valid numeric value, to
prevent said licensor from replacing said first or second
encrypted alphanumeric string with random values in order to
circumvent the encryption.

9. A method for providing licensor control to limit the
number of users accessing one or more features simultaneously
in a telephone switching system providing a plurality of
features, wherein one or more of said features is accessible
by a plurality of users, without said licensor having access
to said switching system, said method comprising the steps of:

requesting access to said feature;

establishing a limit value by decrypting a portion of a
previously encrypted alphanumeric string provided by said
licensor;

comparing said limit to the number of users currently
accessing said feature;

denying access to said feature if said number is greater
than said limit; and

allowing access to said feature if said number is less than
said limit.

10. A method according to claim 9 wherein said encrypted
alphanumeric string may be updated by a licensee replacing
said encrypted alphanumeric string with a further encrypted
alphanumeric string provided by said licensor, thus permitting
a licensor to change the limit value of the number of users
without having access to said system.

11. A method according to claim 10 wherein the number of
updates of said encrypted alphanumeric string over a
predetermined period of time is limited to aid in preventing a
licensee from circumventing the encryption algorithm.

12. A method according to claim 9 further comprising the
step of verifying that said limit is a valid numeric value
after said step of decrypting said encrypted alphanumeric
string; and

denying access to said feature if said limit is not a valid
numeric value, to prevent said licensee from replacing said
encrypted alphanumeric string with random values in order to
circumvent the encryption algorithm.

13. A system for providing licensor control of the number of
users accessing said one or more features in a telephone
switching system having a plurality of features, wherein one
or more of said features is accessible by a plurality of
users, without said licensor having access to said switching
system, said control system comprising:

means responsive to a request for access to a controlled
feature for decrypting a portion of a previously encrypted
alphanumeric string provided by said licensor to establish a
limit value; and

means responsive to said decrypted limit value for comparing
said limit to the number of users currently accessing said
feature, wherein said comparing means denies access to said
feature if said number is greater than said limit and allows
access to said feature if said number is less than said limit.

14. A system according to claim 13 further including means
for updating said encrypted alphanumeric string that replaces
said encrypted alphanumeric string with a further encrypted
alphanumeric string provided by said licensor, thus permitting
a licensor to change the limit value of the number of users.

15. A system according to claim 14 further including means
for limiting the number of updates of said encrypted
alphanumeric string over a predetermined period of time to
prevent a licensee from circumventing the encryption
algorithm.

16. A system according to claim 13 further comprising means
for verifying that said limit is a valid numeric value
responsive to said decrypting means, said verifying means
denying access to said feature if said limit is not a valid
numeric value, thus preventing said licensor from replacing
said encrypted alphanumeric string with random values in order
to circumvent the encryption algorithm.